š
Original date posted:2014-01-30
š Original message:Please note, responding to Pieter and Chuck concurrently.
On Thu, 30 Jan 2014 07:16:54 -0800, Pieter Wuille
<pieter.wuille at gmail.com> wrote:
> Currently, with the specification and implementation in Bitcoin Core,
> if a merchant wants to use the refund or memo feature, they need to
> provide an alternative route for delivering that information to them
> *before* the transaction is made, as sending the transaction may
> result in the transfer of funds without knowing what to do with it (if
> their receive server is down at the right time) and potnetially no way
> to contact the sender. This makes these fields utterly useless.
>
> This is not a matter of letting wallets experiment with the best
> behaviour. This is removing the ability to rely on the payment
> protocol being bidirectional.
I think we want to separate the two issues;
1) Reliably getting refund/memo fields to the merchant/payee
2) Who broadcasts a TX, how it's retried, how outputs are 'locked' and
if/when they should be [double]-spent to clear them
We should be able to solve '1' without having to fully spec out behavior
for 2.
On Thu, 30 Jan 2014 07:16:54 -0800, Pieter Wuille
<pieter.wuille at gmail.com> wrote:
> I don't care whether wallets broadcast the transactions or not (they
> can experiment with that as they like). But we should take measures to
> prevent a transaction for being broadcast without the payment being
> delivered. One way is never broadcasting the transaction yourself.
> Another is retrying to send the payment if delivery fails.
>
> Here is what I would suggest to add to the specification:
> * If a payment_uri is specified, the client must attempt to send the
> payment there.
> * If a transaction is broadcast (which is permitted even if sending
> the payment fails), a client should make a reasonable attempt of
> delivering the payment (remembering, retrying, ...).
> * If a paymentACK has been received, the client is no longer
> responsible for broadcasting the transaction (but still may).
To reliably deliver refund/memo fields, we could;
a) Send them as part of the initial request for the
PaymentRequest/PaymentDetails
b) Send them as a response to the PaymentRequest/PaymentDetails before
the transaction is even formed and any unspent outputs are selected
c) Send them as a response to the PaymentRequest/PaymentDetails with the
UNsigned transaction, and then follow up with the signed transaction in a
separate message.
'a' is problematic because while wallet software could easily append some
data to the queryString, it doesn't work if the user is downloading then
opening the PaymentRequest as a file. So 'a' is a no-go I think.
'b' is fine, if not overly chatty. The only thing committed is a refund
address, which is a lot less problematic than committed unspent outputs.
'c' is nice because it lets the server preview the transaction (and
ACK/NACK it with a memo of their own -- e.g. 'fee too low'?) without being
able to broadcast it, so we know unspent outputs are not yet committed.
But all of these require too many changes to the protocol for my liking.
On Wed, 29 Jan 2014 21:47:51 -0800, Chuck <chuck+bitcoindev at borboggle.com>
wrote:
> 3. Customer builds a set of transactions and sends a new
> PaymentApprovalRequest message which includes a refund address and the
> unsigned transactions and their associated fully-signed transactionhash,
> the whole message signed with the private key of the refund address.
"Unsigned transactions and their associated fully-signed transaction hash"
-- isn't that a fully signed transaction? In this case, it doesn't solve
the core problem of the server being able to broadcast that transaction
without ACKing.
On Wed, 29 Jan 2014 21:47:51 -0800, Chuck <chuck+bitcoindev at borboggle.com>
wrote:
> In Step 3, it's critical the customer sign the message with the private
> key of the refund address, so that the merchant can be confident the
> refund address is correct.
For merchant confidence that the address is correct, we can leave the
transport security to the transport layer.
For payer proving refund address was X after merchant sends a refund to Y,
that's a different story. I don't think we want to *require* access to the
refund address private key. For example, BIP32 public derivation may have
just the pubkey available. Offline transaction signing is one thing, but
offline PP message signing is too much. I think there are better ways to
secure the refund address which can reuse existing code, and certainly the
option should remain to send a plain refund address just relying on
transport security and trusting the merchant.
Jeremy Spilman [ARCHIVE] /
npub10eā¦jc727
2023-06-07 15:12:39
in reply to nevent1qā¦w7dy
Author Public Key
npub10etkvm8l0jr0jsgdx02dxnhnu5g989dnca90guj5rklwkaplnh3sgjc727Published at
2023-06-07 15:12:39Event JSON
{
"id": "3c7bcf18f78238194977d6f2df8138f43bb2a23f306ed007d491b5714aa2e92e",
"pubkey": "7e57666cff7c86f9410d33d4d34ef3e5105395b3c74af472541dbeeb743f9de3",
"created_at": 1686150759,
"kind": 1,
"tags": [
[
"e",
"cd2b50b4c4e42fbfc1a32e56fc92dceb6f26c7bd94e21234287a2ef4a6ea523e",
"",
"root"
],
[
"e",
"6048696a31fa4c60cb9129bec1996aefbbc90b00bbba48e8c97ee0c0c85c3c83",
"",
"reply"
],
[
"p",
"5cb21bf5d7f25a9d46879713cbd32433bbc10e40ef813a3c28fe7355f49854d6"
]
],
"content": "š
Original date posted:2014-01-30\nš Original message:Please note, responding to Pieter and Chuck concurrently.\n\nOn Thu, 30 Jan 2014 07:16:54 -0800, Pieter Wuille \n\u003cpieter.wuille at gmail.com\u003e wrote:\n\u003e Currently, with the specification and implementation in Bitcoin Core,\n\u003e if a merchant wants to use the refund or memo feature, they need to\n\u003e provide an alternative route for delivering that information to them\n\u003e *before* the transaction is made, as sending the transaction may\n\u003e result in the transfer of funds without knowing what to do with it (if\n\u003e their receive server is down at the right time) and potnetially no way\n\u003e to contact the sender. This makes these fields utterly useless.\n\u003e\n\u003e This is not a matter of letting wallets experiment with the best\n\u003e behaviour. This is removing the ability to rely on the payment\n\u003e protocol being bidirectional.\n\nI think we want to separate the two issues;\n\n 1) Reliably getting refund/memo fields to the merchant/payee\n 2) Who broadcasts a TX, how it's retried, how outputs are 'locked' and \nif/when they should be [double]-spent to clear them\n\nWe should be able to solve '1' without having to fully spec out behavior \nfor 2.\n\nOn Thu, 30 Jan 2014 07:16:54 -0800, Pieter Wuille \n\u003cpieter.wuille at gmail.com\u003e wrote:\n\u003e I don't care whether wallets broadcast the transactions or not (they\n\u003e can experiment with that as they like). But we should take measures to\n\u003e prevent a transaction for being broadcast without the payment being\n\u003e delivered. One way is never broadcasting the transaction yourself.\n\u003e Another is retrying to send the payment if delivery fails.\n\u003e\n\u003e Here is what I would suggest to add to the specification:\n\u003e * If a payment_uri is specified, the client must attempt to send the\n\u003e payment there.\n\u003e * If a transaction is broadcast (which is permitted even if sending\n\u003e the payment fails), a client should make a reasonable attempt of\n\u003e delivering the payment (remembering, retrying, ...).\n\u003e * If a paymentACK has been received, the client is no longer\n\u003e responsible for broadcasting the transaction (but still may).\n\nTo reliably deliver refund/memo fields, we could;\n\n a) Send them as part of the initial request for the \nPaymentRequest/PaymentDetails\n b) Send them as a response to the PaymentRequest/PaymentDetails before \nthe transaction is even formed and any unspent outputs are selected\n c) Send them as a response to the PaymentRequest/PaymentDetails with the \nUNsigned transaction, and then follow up with the signed transaction in a \nseparate message.\n\n'a' is problematic because while wallet software could easily append some \ndata to the queryString, it doesn't work if the user is downloading then \nopening the PaymentRequest as a file. So 'a' is a no-go I think.\n\n'b' is fine, if not overly chatty. The only thing committed is a refund \naddress, which is a lot less problematic than committed unspent outputs.\n\n'c' is nice because it lets the server preview the transaction (and \nACK/NACK it with a memo of their own -- e.g. 'fee too low'?) without being \nable to broadcast it, so we know unspent outputs are not yet committed.\n\nBut all of these require too many changes to the protocol for my liking.\n\nOn Wed, 29 Jan 2014 21:47:51 -0800, Chuck \u003cchuck+bitcoindev at borboggle.com\u003e \nwrote:\n\u003e 3. Customer builds a set of transactions and sends a new \n\u003e PaymentApprovalRequest message which includes a refund address and the \n\u003e unsigned transactions and their associated fully-signed transactionhash, \n\u003e the whole message signed with the private key of the refund address.\n\n\"Unsigned transactions and their associated fully-signed transaction hash\" \n-- isn't that a fully signed transaction? In this case, it doesn't solve \nthe core problem of the server being able to broadcast that transaction \nwithout ACKing.\n\nOn Wed, 29 Jan 2014 21:47:51 -0800, Chuck \u003cchuck+bitcoindev at borboggle.com\u003e \nwrote:\n\u003e In Step 3, it's critical the customer sign the message with the private\n\u003e key of the refund address, so that the merchant can be confident the\n\u003e refund address is correct.\n\nFor merchant confidence that the address is correct, we can leave the \ntransport security to the transport layer.\n\nFor payer proving refund address was X after merchant sends a refund to Y, \nthat's a different story. I don't think we want to *require* access to the \nrefund address private key. For example, BIP32 public derivation may have \njust the pubkey available. Offline transaction signing is one thing, but \noffline PP message signing is too much. I think there are better ways to \nsecure the refund address which can reuse existing code, and certainly the \noption should remain to send a plain refund address just relying on \ntransport security and trusting the merchant.",
"sig": "fc47f4854fafd71cf0e970796d1834fbc5fd405f17e1c2d0d3e7bb713456d1808a985b961b09984ea0040fd036f9b786524373404734df812c3847ec00efb7cb"
}